Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« January 2010 | Main | March 2010 »

February 26, 2010

The Disaster That Keeps on Giving (Con Artists) Permalink

Immediately after the devastating Haiti earthquake, the expected phony charity spam filled the 'tubes. But just because the Haiti recovery may have slipped from the headlines doesn't mean that crooks have given up on it. Here is a Haiti recovery donation scam email I just saw:

From: "Richard Zeeman" <info@savehaitiworld.org>
Subject: Please Read

Save Rural Haiti World Wide.
177 Chesterfield Road South

We create your indulgence to introduce ourself.We are a group of young minded professional in our own individual rights who has come together from various backgrounds to raise funds to save survivors of the Haiti Earthquake.Due to the present Logistic problems such as these quotes....

Air Force Gen. Douglas Fraser, the four-star chief of U.S. Southern Command, told reporters yesterday the U.S. military was initially “focused on getting command and control and communications there so that we can really get a better understanding of what’s going on.”

(Read More http://www.wired.com/dangerroom/2010/01/earthquake-hit-haiti-still-offline-military-

It’s not just the airport where connectivity is lost. The headquarters for MINUSTAH, the United Nations Stabilization Mission in Haiti, partially collapsed, and a significant portion of its communications network was severed.

How Do We Assist? We have on ground in various villages, locals who help us to ferry relief materials dropped by United Nations helicopters in the air to survivors in their various camps in the interior part of Haiti as government and international attention is only on Port-au-Prince.We need your financial donation to continue the delivering of the relief materials to those who need them the most.

Our activities are approved and monitored by the United Nations and the British Red Cross Society.

Contact us on how you can help by donating to this laudable cause by return email and phone number above.

Thank you for your time.


Mr.Richard Zeeman

There is no such organization, Save Rural Haiti World Wide. There is no registered domain, savehaitiworld.org. The Reply-To: address is to a free gmail account. The phone numbers supplied are cell phone numbers.

This scam is probably being run by 419ers who are diversifying their outgoing messages. They want to get you on the hook and will drain you for everything they can through their proficient con artistry.

Haiti still needs help, but there are plenty of legitimate organizations you've heard of that provide real aid.

Posted on February 26, 2010 at 07:30 AM

February 25, 2010

The Plural of "Doofus" Permalink

I wrote yesterday about an inept Bank of America phisher who couldn't shoot straight. Today another guy — a few bits short of a byte — was having problems with his attempts either at phishing or PC infection (bold face added).

Subject: PayPal - Account Review. PayPal team identified some unusual activity in your account!

As part of our security measures, we regularly screen activity in the
banking system. During a recent screening, we noticed an issue regarding your credit card account. It may have been accessed by an unauthorized third party.

As a precaution, we are requesting additional verification of your identity and payment information in order to protect your credit card against future unauthorized transactions.

Please download the Attachments below and complete the requested information. The situation will be immediately reviewed by the fraud department and we will remove any holds on this account.

Copyright © 1999-2009 PayPal. All rights reserved.

Problem was, there were no attachments to the email. No form, no link, no nothing. Just money wasted by the sender, as well as wasted global internet bandwidth, wasted server processing by spam filters, and wasted disk space on those servers who let this junk through.

I'm happiest about wasting the sender's resources. It also forced me to look up the plural in the dictionary: doofuses.

Posted on February 25, 2010 at 02:48 PM

February 24, 2010

My Favorite: The Inept Phisher Permalink

For the past few hours, some wannabe crook has been spewing out incomplete Bank of America phishing messages. Here's as far as he gets:

From: "Bank of America" <support@alert.bankofamerica.com>
Subject: Important Information Regarding Your Account

Dear Member,

As part of our efforts to provide a safe and secure environment for the
online community, we regularly screen account activity.
Our review of your account has identified an issue regarding its safe use=

The messages originated from a variety of bot-netted computers around the world. Aw, too bad the link to his phony login page didn't make it into the message. All that work — and some botnet rental payment — for naught. Boo hoo.

Posted on February 24, 2010 at 07:38 PM

February 19, 2010

Fake Amazon Email as Malware Delivery Vehicle Permalink

Amazon is typically abused by phishers who want to grab login credentials (and drain your credit card by hijacking victims' accounts). A non-phishing message arrived today that had a piece of malware attached. Here is the message part:

From: "Amazon Manager Reed Roth" <shop.order@amazon.com>
Subject: Amazon Shop! Your order has been paid! Parcel NR.3611.


Thank you for shopping at Amazon.com
We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered " Apple MacBook MB404 "

You can find your tracking number in attached to the e-mail document.

Print the postal label to get your package.

We hope you enjoy your order!

Other variants of this message feature different products, such as a Sony VAIO computer.

The attached file, named Postal_package_NR926.zip, has weak anti-virus coverage at this hour. I believe the social engineering aspect of this fake message will be fairly successful in getting recipients to open the .zip file (and ensuing .exe file).

If you didn't order it, Amazon isn't gonna ship it.

Posted on February 19, 2010 at 12:57 PM

February 18, 2010

(In)Credible PayPal Phishing Attempt [Updated] Permalink

I'm glad to say that the destination to which the bogus PayPal payment notice leads was quickly taken down. But that doesn't mean that the message won't surface again soon with a different link to a different hijacked web site serving as a PayPal login credentials ripper offer.

The message's Subject: line,

You sent a payment of $40.00 USD to cleverbridge, Inc

looks like it could be from PayPal. In my experience, however, PayPal's notifications of having sent a payment do not include the payment amount in the Subject: line. Such notifications are more typically sent as receipts for your payments.

In any case, the message has a fair amount of HTML/CSS design behind it, adding to its perceived credibility:

Phony PayPal payment notice

There really is a company called Cleverbridge, but it appears to be more involved with back-end e-commerce computing, and not selling to consumers — certainly nothing for $40, whether it be virtual food or otherwise.

This type of message is exactly the kind that gets unsuspecting individuals — infuriated at having been charged for something they didn't buy — to follow the link to cancel the transaction. The link, however, leads to a phony PayPal login page, where the victim will feverishly enter user ID and password to cancel the transaction (a transaction which doesn't exist).

However, a smart potential victim will know to use a previously saved bookmark to log into PayPal manually, and inspect his or her account. Of course, there will be no record of this $40 payment because it doesn't exist. And the login credentials will be kept out of crooks' hands.

Update (19 Feb 2010): The same message arrived today, with the URL going to a freshly minted .org domain whose name includes "paypal". Right on schedule.

Posted on February 18, 2010 at 03:47 PM

February 16, 2010

Money Mule Recruitment Permalink

When crooks steal electronic banking login credentials via numerous PC infections, they log into the accounts and need to grab as much dough as they can as quickly as they can without causing electronic alarm bells to go off. To make the scheme work, the crooks need a way to extract the cash and have it flow to them in an untraceable way. Obviously, a direct transfer to their own bank accounts wouldn't work. Instead, they recruit individuals to act as "payment processors."

Funds are withdrawn from the hijacked bank account via electronic transfers into the accounts of these payment processors — usually in amounts under $10,000 to avoid being closely monitored by the banks. The payment processor must then quickly wire most of that money to their employer via Western Union or similar cash-based service. The processor gets to keep ten or so percent as commission (for a few hours, maybe).

The reason for haste is that the true owner of the money or his bank will eventually detect the fraudulent withdrawal. When that happens, the bank demands its money back from the payment processor's account in full. The processor's bank will usually comply, ripping a huge hole in the processor's personal bank account.

This is money laundering, pure and simple. The "payment processor" is a money mule, the financial equivalent of a drug smuggler. Surprisingly, I don't hear of many cases in which a money mule is prosecuted for his or her part in the fraud. But even without The Man coming down on them, money mules pay a hefty price.

Recruiting payment processors seems to be pretty easy, especially in these days of hard economic times. And when the crooks hide behind the flash and glamor of a real company, the "job" offer looks legitimate.

Shown below is an image of the beginning of a (virus-free) PDF document that claims to come from Codec in Ireland:

Money mule recruitment PDF file

I show the PDF file because it includes the logo art and real address of an Irish company called Codec. The From: field of the email message delivering this PDF file is an address at codec.ie, Codec's domain. Remember this, because there is a kicker at the end of this piece.

First of all, is the "real" Codec a real company? Their web site claims the company has been around since 1985. The name (which is new to me) comes from the compression of "Corporate" and "Decisions". Their domain name registration doesn't reveal a creation date, so that's no help.

With all due respect to the company if it is genuine, the consultancy buzzwords throughout the large web site are quite vague and sound almost made up. My eyes started to glaze over before I got very far. Although there are some traces of legitimacy on the site, I don't have the time to investigate this as thoroughly as I'd like. And, as computer media types know, searching for "codec" will not get me very far. In any case, to the untrained and unsuspecting eye, the web site looks very legitimate. That's all the recruiter needs.

Here is the full, unedited text of the PDF file, just so you can see how today's money mule recruiter is appealing to the masses:

Good Day,

We are the recruiting team at Codec, a registered company in Ireland with branches all over Europe. We are trying to expand our business to the USA and CANADA. It has been expensive and stressful for us to catch up with meetings and receive payment from clients outside the United Kingdom. We have decided to recruit agents in the united state of America that will represent our establishment in the aspect of record keeping and client's payments processing.

Customers in America will be asked to make payments for orders to you. You will record, process and remit the money to the accounting department. Payments will be made in cash, money orders and verified checks so you may need to have a bank account to apply for this position.

Note that only 21 years of age and above with good use of English can apply for this job offer. We need from you utmost honesty, trust, steady communication, easy access to the internet and a mobile phone number for quick communication. We do not mind you having another job, as this is a part time job but you need be committed and take our business serious at all times.

If you accept to work for us, you will receive $1000 (One Thousand Dollars Only) as salary every month ending and you are also entitled to remove a 10% commission off every transaction you make. i.e payment collected for the company through you.

If interested please reply with the following information. Your information will be processed within 48hrs and you can start work immediately

* Full Name.
* Residential Address (full address, zip code, state,)
* Contact Phone number(s).
* Cell number (For sms notification of assignments)
* Email Address
* Current Job
* Age

Charles Maybin
Human Resource Manager

Most recipients of this job offer will miss two significant problems with the message's authenticity.

First, although the company's physical address is in Ireland, the response telephone number is in the U.K. Of course, most of America's geographically-challenged folk don't know that Ireland is not part of the United Kingdom.

Second, although the From: address is a codec.ie address, the Reply-To: header is to a free sify.com email address.

Sadly, one statement in the offer letter may be true: that the crooks have so many bank accounts to hijack, that they're stressed in finding enough unwitting accomplices to complete the thefts.

Posted on February 16, 2010 at 10:56 AM
Abusing the WebMD Brand Permalink

The outright deception in the following email body is enough to make one's blood boil:

Phony WebMD email message

This message was sent to a role account that is on plenty of spam lists, although I personally don't use it for any purpose. I have visited the WebMD web site in the past, but I couldn't have possibly given them the address to which this spam was directed (and thus the "You are subscribed as..." was the first flag that this was phony — even before downloading the Viagra image).

It's clear that this Chinese medz house is using the good reputation of WebMD to trick recipients into trusting the message. Except for information in the headers, the piece looks to be CANSPAM compliant, supplying WebMD's identity and a link to unsubscribe (the link, however, goes to the Chinese site, identifying/confirming the unsubscriber's email address). Having not visited the spamvertised site, I can't say whether the site builds on the fake WebMD tie, but I doubt it. In any case, the spammer is hoping the spam makes their site look like it's endorsed by WebMD.

I don't know how well-funded WebMD is, or if they'd have any success tracking down these notorious Chinese spammers. They'd better look up "high blood pressure" on their own site before proceeding.

Posted on February 16, 2010 at 09:02 AM

February 13, 2010

Non-American 419ers Permalink

I don't see every 419 scam that courses through the 'tubes, but of the ones I see, there is clearly a non-American focus to their pleas. By that I mean that the originators and writers of the scams don't have a good feel for things that would get more Americans' attention.

In the past, we've had phony lotteries supposedly associated with the 2006 African Cup. Today I saw another phony lottery winning notification claiming to be affiliated with the 2010 FIFA World Cup in South Africa. The message included a (safe) PDF file that showed two distorted pictures: one of Nelson Mandela; the other of a pair of FIFA officials with their logo in the background. In particular, I got a laugh from this line:

Note: This program is being sponsored by the FIFA SUPPORT TEAM, to create awareness for the up coming 2010 FIFA world Cup, which is to be host by South Africa.

The problem for these crooks is that they try to appeal largely to gullible Americans (although Americans do not have a monopoly on being 419 victims) using a sport that has very low visibility in the USA. There is far more awareness here about the Super Bowl (American football), World Series (baseball), NBA Finals (basketball), and the Stanley Cup (hockey). On the other hand, it might be difficult to spin a story that explains why there would be a Dutch lottery associated with an American sports league (except perhaps trying the "create awareness" in other parts of the world).

But you know what? I think they could do it. After all, if they can get suckers to respond to a Nigerian woman dying of prostate cancer (yes, this 419 sob story actually circulated for a time), they can connect any two dots.

Posted on February 13, 2010 at 09:12 AM
New Gadget, New Crappy Rewards Programs Permalink

We've seen it before (here and here from two years ago). "Click here" to get a free whatever. Or "Testers Wanted."

The catch? "Participation Required."

The gadget du jour is the Apple iPad:

iPad Testers ad

Read the older entries to learn how these scams work and cost participants money. Needless to say, the programs have nothing to do with testing an iPad.

Posted on February 13, 2010 at 08:46 AM

February 12, 2010

More Canadian Pharmacy Trickery Permalink

Here is yet another message trick that the so-called Canadian Pharmacy (whose internet operations are largely in China) uses to lure you to their web site:

From: Support <Veronika.Collins@support.amazon.com>
Subject: Confirm Order N34738

Thank you.

Order (s/n: 9719178444) Accepted.

The link is to a numeric IP address which automatically redirects visitors to the Canadian Pharmacy sales site. The message content provides just enough vague information to enrage visitors to click to find out about some order that they never placed.

Does this tactic of tricking visitors to your web site really work to convert to sales? Is a trickery victim supposed to think, "Oh, you guys really got me. The joke's on me. I guess I'll order some boner pills while I'm here." Maybe the Chinese have a different sense of humor than I do.

Posted on February 12, 2010 at 08:36 AM

February 07, 2010

Short and Sour 419er Permalink

We're so used to the long sob story associated with 419 advance-fee scam email messages, that the brevity of one I saw today is almost refreshing. Almost.

Subject: Contact Scarlet Courier Company For Deliver Your Package


I just received a call from the Director of Scarlet Courier Service Company Ghana that the consignment box that was sent to you was returned due to wrong address, this consignment box contained your US$850,000,00. Eight Hundred And Fifty Thousand united state dollars, Your compensation fund.

Therefore call the director (Jeffery Walter) on Tel: (+233 - 248-xxx-xxx ) email him at: ([removed]@diplomats.com) and give him your correct address and Phone number.
Use this code (XA-8550) as the subject of your mail to them for identification.

Yours Truly.
Mr. Victor Kwasigha

We who follow email scams recognize this one for what it is just from the Subject: line. But I have seen several independent stories recently about retirees getting caught up in the crooks' sticky webs. The dream of a quick buck dropping into one's lap — and the immense skill 419ers have in stringing victims along — drive already financially-strapped seniors to the poor house. It becomes impossible to convince a victim that no money will ever flow in his or her direction.

Posted on February 07, 2010 at 03:58 PM